Fiscal Year 2002 Evaluation of Information Security
at the Railroad Retirement Board,
Report No. 02-12, August 27, 2002

INTRODUCTION

This report presents the results of the Office of Inspector General’s (OIG) evaluation of information security at the Railroad Retirement Board (RRB).

Background

The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA). These programs provide income protection during old age and in the event of disability, death, temporary unemployment or sickness. The RRB paid out in excess of $8 billion in benefits during fiscal year (FY) 2001.

The RRB’s information system environment consists of two general support systems and seven major application systems. The two general support systems are the data processing system, which supports all mainframe computing activity, and the end-user computing system, which supports the agency’s local (LAN) and wide (WAN) area networks.

The major application systems correspond to the RRB’s critical operational activities: payment of RRA and RUIA benefits, maintenance of compensation and service records, administration of Medicare entitlement, financial management, personnel/payroll, and the RRB’s financial interchange with the Social Security Administration. Each application system is comprised of one or more programs.

On October 30, 2000, the President signed into law the FY 2001 Defense Authorization Act (P.L. 106-398) including Title X, subtitle G, “Government Information Security Reform (Security Act).”[1] The Security Act requires annual agency program reviews, annual Inspector General security evaluations, an annual agency report to the Office of Management and Budget (OMB), and an annual OMB report to Congress.

In February 2002, the OIG published “Review of Information Security at the Railroad Retirement Board” presenting the detailed results of the OIG’s review of the agency’s information security. That review, conducted pursuant to the Security Act, disclosed weaknesses in most areas of the RRB’s information security program. At that time, the OIG concluded that significant deficiencies in program management and access controls made the agency’s information security program a source of material weakness in internal control over financial reporting.

[1] This legislation is also referred to by the acronym “GISRA.”

Objectives, Scope and Methodology

The objective of this review was to fulfill the requirements of the Security Act by performing an evaluation of the RRB’s information system security program and practices. The scope of this review was information system security at the RRB during FY 2002.

In order to accomplish our objectives, we monitored agency efforts to implement corrective action in response to the findings and recommendations presented in prior OIG audit reports as well as third-party evaluations conducted at the request of the OIG including:

   • “Information Systems Security Assessment Report,” Defensive Information Operations Group, National Security Agency (NSA), June 28, 2000;
   • Review of RRB’s Compliance with the Critical Infrastructure Assurance Program, August 9, 2000, OIG Report #00-13;
   • Review of Document Imaging: Railroad Unemployment Insurance Act Programs, November 17, 2000, OIG Report #01-01;
   • “Site Security Assessment,” Blackbird Technologies, Inc. (BBT), July 20, 2001;
   • “Security Controls Analysis,” Blackbird Technologies, Inc. (BBT), August 17, 2001; and
   • “Review of Information Security at the Railroad Retirement Board,” February 5, 2002, OIG Report #02-04.

We also performed tests of selected controls related to disaster recovery and physical security.

Our work was performed in accordance with generally accepted government auditing standards as applicable to the objectives. Fieldwork was conducted at RRB headquarters during May through June 2002.

RESULTS OF EVALUATION

Agency management has begun the process of strengthening information security. However, significant weaknesses in access controls and program management continue to exist. As a result, information security remains an area of material weakness in internal control.

Corrective action has not been sufficient to eliminate the most significant weaknesses in program management and access controls. Program management continues to be significantly undermined by a lack of training among key personnel. Access controls cannot be considered fully effective because of the weaknesses in account management in both the mainframe and end-user computing environments.

In our previous report, we cited the absence of a strong framework with a central management focal point as the underlying cause of many situations in which the controls that have been designed and put into operation were less than fully effective. Since that initial assessment, the RRB’s Chief Information Officer has appointed a Security Officer to lead the newly created Risk Management Group within the Bureau of Information Services. However, it would be premature to assess the impact of that appointment, made in February 2002, on management effectiveness.

The following sections of this report detail our findings with respect to management’s plans to remedy the previously identified weaknesses in the RRB’s information security program and the status of prior recommendations for corrective action. We have also included new findings and recommendations for improvements to the agency’s disaster recovery program.

Agency’s Plan of Action

The Security Act requires that agencies prepare an action plan, including target dates for implementation, to remedy any significant deficiencies in information security.

In October 2001, the agency prepared and submitted to OMB an action plan to strengthen its information security program. As of June 2002, the original 15 planned corrective actions had been increased to 16, and the agency had reported full implementation in six areas.

We concur with the agency’s assessment of the status of five of the six weaknesses for which full implementation has been reported. However, we disagree with management’s assessment of the status of a prior recommendation for a formal security training and awareness program. Management’s actions to date are not sufficient to address the original recommendations.

In April 2002, the RRB’s Management Control Review Committee (MCRC) completed its review of the OIG’s detailed findings concerning information security. The MCRC agreed that the deficiencies identified by the OIG constitute a material weakness in internal control and a material non-conformance with the financial requirements of the Federal Managers’ Financial Integrity Act (FMFIA).

We have been advised that, based on the MCRC’s concurrence with the findings in the OIG’s previous report, the agency will prepare an expanded action plan. Accordingly, the OIG will defer evaluation of the adequacy of the agency’s planned corrective action until a comprehensive plan has been adopted.

Status of Recommendations for Corrective Action

Responsible management and staff in the Bureau of Information Services have implemented, or plan to implement, most of the recommendations for improved information security resulting from evaluations by the OIG and technical specialists under contract to the OIG.

The OIG monitored 102 recommendations for corrective action. To date, 50 have been fully implemented, 10 have been rejected, and 42 are targeted for completion in the next 18 months.

                SUMMARY OF AUDIT RECOMMENDATIONS
                PERTAINING TO INFORMATION SECURITY
                     Status as of June 15, 2002

 Report       Date       No. of Items   Implemented   Pending   Rejected
 NSA          06/28/00        19             8           6         5
 OIG 00-13    08/09/00         2             1           1
 OIG 01-01    11/17/00         3             2           1
 BBT          07/20/01        12             6           4         2
 BBT          08/17/01        38            27           8         3
 OIG 02-04    02/05/02        28             6          22
                            =====         =====       =====     =====
 Totals                      102            50          42        10

Although agency management has taken many of the recommended corrective actions, the major changes that will be required to alleviate the significant deficiencies identified by the OIG could not be accomplished quickly. For example, although the agency provided basic security awareness training to most employees during FY 2002, this training falls far short of an ongoing program of security awareness and did little to enhance the knowledge, skills or abilities of those charged with the design and implementation of the security program.

Similarly, implementation of corrective action to strengthen access controls is largely dependent on the re-configuration of the hardware and software that support mainframe and end-user computing. Such changes can only be implemented as part of the larger long-term planning process.

Finally, the impact of the recent appointment of a Security Officer to lead the newly created Risk Management Group may not become evident for months, or even years.

Service Level Agreements

The Bureau of Information Services’ Service Level Agreements with the end-user computing community do not address user expectations concerning data backup.

OMB Circular A-130 requires that Federal agencies establish, and periodically test, the capability to continue providing service within a system based upon the needs and priorities of the participants of the system. Agency plans should ensure the ability to recover and provide service sufficient to meet the minimal needs of users of the system. Decisions on the level of service needed at any particular time and on priorities in service restoration should be made in consultation with the users of the system and incorporated in the system rules.

The understanding between system users and information technology support personnel is formalized in a written Service Level Agreement.

The absence of Service Level Agreements for data backup operations weakens the agency’s disaster recovery program because the expectations of the user community may be different from actual practice.

Recommendation

The Bureau of Information Services should develop Service Level Agreements for its data backup operations (Recommendation #1).

Management’s Response

The Bureau of Information Services did not totally concur with the finding. They cited an existing Service Level Agreement for mainframe backup procedures and the local area network that supports the Bureau of Fiscal Operations. The agency-wide agreement is currently being revised to incorporate additional aspects of end-user computing needs.

The full text of management’s response is included as an appendix to this report.

LAN Server Not Subject to Backup

During our review, we observed a LAN server (identified as the MIPS server) that is not subject to data backup.

OMB Circular A-130 requires that Federal agencies develop disaster recovery plans to ensure the ability to recover and provide service sufficient to meet the minimal needs of users of the system. The National Institute for Standards and Technology (NIST) recommends regular data backup and the implementation of policies specifying the frequency of backups based on data criticality and the frequency with which new information is introduced.

The agency’s LAN data back-up operation does not include the MIPS server because this device has not been designated for backup in the automated backup device. Bureau personnel could not offer any documentation to support the decision to exclude the MIPS server. As previously discussed, the Bureau of Information Services does not have a Service Level Agreement which would document the basis for this exclusion.

The Bureau of Information Services has advised us that the MIPS server stores old system development information, some of which has not been modified recently, although it may still be in use. However, absent documentation to support a contrary position, the omission of the MIPS server from LAN back-up operations increases the agency’s risk of loss in the event of disaster.

Recommendation

The Bureau of Information Services should confer with the owners/users of the data stored on the MIPS server to determine the appropriate back-up treatment (Recommendation #2).

Management’s Response

The Bureau of Information Services concurs with the recommendation. The full text of management’s response is included as an appendix to this report.

Contract for Disaster Recovery Services

Controls over the modification of RRB’s contract for disaster recovery services are not adequate to ensure changes are made in accordance with management’s plan.

OMB Circular A-130 requires that the disaster recovery plans of Federal agencies ensure the ability to recover and provide service sufficient to meet the minimal needs of users of the system.

The RRB contracts for the equipment and services that will be required to ensure the recovery of mission-critical operations in case of disaster. The present contract has not been revised to include recent upgrades, including an additional gigabyte of mainframe storage capacity and upgrades to the end-user computing support system.

We have been advised that the contract was not modified for the upgraded mainframe storage because the previous Chief Information Officer determined that it was not necessary to do so. However, no documentation to support that decision was provided for our review.

OIG auditors could not determine exactly why the contract has not been modified to reflect upgrades to the end-user computing support system. Although the discussion of contract modification is ongoing, we do not see evidence of an affirmative decision to actually modify the contract, or to delay modification pending further upgrades.

Recommendation

The Bureau of Information Services should develop controls to ensure that all decisions related to the disaster recovery contract are formally documented (Recommendation #3).

Management’s Response

The Bureau of Information Services concurs with the recommendation. The full text of management’s response is included as an appendix to this report.

Hardware and Software Inventory Records

During the period allotted for fieldwork, Bureau of Information Services personnel were unable to provide auditors with a current inventory of the agency’s LAN hardware and software. The Bureau of Information Services provided several equipment lists but the information was not current.

An up-to-date inventory should be maintained to support financial management, permit effective asset management, and facilitate the disaster recovery process. The lack of a readily available inventory indicates that these activities are not adequately served by current systems.

In a previous report, the OIG recommended that the Bureau of Supply and Service develop and implement a new, comprehensive system of fixed asset accounting and internal control.[2] In that report, the OIG noted that the Bureau of Information Services maintained an equipment inventory separate from the agency’s master accountable property record.

The RRB is in the process of implementing a new automated system to support fixed asset management. We have been advised that the new system was implemented in May 2002, but the process of ensuring the accuracy and integrity of the data transferred to the system is expected to continue at least through the end of the current fiscal year. Accordingly, we will make no recommendation for improved inventory accountability at the present time.

[2] OIG report #00-01, “Review of Internal Control Over Fixed Assets,” October 5, 1999